CVE-2026-10750 PUBLISHED

Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

Assigner: WPScan
Reserved: 03.06.2026 | Published: 01.07.2026 | Updated: 01.07.2026

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.

Product Status

Vendor: Unknown
Product: Royal MCP
Versions (default: unaffected):
  • affected from 0 to 1.4.26 (excl.)

Credits

  • Alessandro Greco aka Aleff (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-862: Missing Authorization